It’s Time to Assume Your TV (and Your Game Console, and Your Smart Bulbs, and Your Smart Thermostat, and Your Smart Speaker, and Anything Else in Your House Connected to the Internet) Is Bugged

Yesterday, WikiLeaks opened the door to Vault 7, its code name for a new cache of records from the Central Intelligence Agency, specifically from the agency’s hacking initiative. One document apparently indicated that the CIA has figured out how to bypass the security on certain versions of iOS and Android (Apple says it’s already patched the security holes). Another document detailed a program called “Weeping Angel,” which turned Samsung TVs with internet connectivity into bugs, capable of being installed remotely, and picking up idle chitchat in people’s living rooms using Samsung’s built-in microphones.

The Vault 7 revelations are somehow both urgent and mundane. To people in whom the Trump administration is awakening a sense of paranoia that remained inactive during the Obama presidency — even as Obama’s DHS expanded its powers of surveillance to untold dimensions — the news that the CIA has the technical ability to hack into your consumer-grade TV is chilling. But for years, the manufacturers of consumer technology have been waging a cold war against the intelligence community, which believes it has both the moral imperative and legal authority to request backdoors into devices and software — or to create its own with a sledgehammer. Vault 7’s “Weeping Angel” documents are less revelation than confirmation. The conspiracy of mass surveillance became fact.

The justifiable paranoia of the privacy-conscious consumer can be debilitating. Many of us have spent the post-Snowden years leapfrogging between solutions to shield ourselves from prying eyes: delete Facebook, use end-to-end encryption, generate PGP keys, install Signal. But the CIA — the Vault 7 documents confirm — managed to find its way around those encryption measures by compromising mobile devices themselves. What use is an unbreakable envelope if someone can read your letter before it’s sealed inside?

None of this is to say that it’s a bad idea to use Signal or other encrypted communications — they’re still highly secure, and the CIA and its sister agencies are likely focused on cracking the phones of extremely high-value targets. And, for obvious reasons, tech companies should remain unwilling to admit defeat in this arena. Functional cybersecurity that works against both government agencies and individual bad actors is extremely important to a wired society.

But in the end, if you’re worried about state surveillance, it’s better to be safe than sorry. A good rule of thumb is that any vulnerability that is just being discovered, and only now being made public, has been known to the NSA for at least a year, probably more — and has been actively exploited by it, if not by other government agencies. And, more bluntly: If it connects to the internet, the state can watch you. Maybe multiple states.

This attitude is fatalist, but it’s practical. It sets the minimum standard for which tech is vulnerable to snooping at a level so low that it’s almost comforting. If you buy a device with internet connectivity, you are allowing yourself to be snooped on. You can still buy smart TVs, smart light bulbs, smart thermostats, and internet-connected teddy bears, if you want to. Just don’t assume that you can successfully prevent surveillance by turning off the Wi-Fi in your settings menu. If a device has a Wi-Fi card in it, or an Ethernet port, you should assume that it is insecure, and you should not be surprised when that assumption is confirmed. (This does not mean, however, that you shouldn’t be outraged.)

Keeping this in your mind can lead to some cognitive dissonance, but it’s nicely clarifying. I own a Samsung smart TV, and it is currently connected to my home network. I highly doubt that the CIA was listening in on me, but the opportunity was there. Here’s the thing: I don’t need a smart TV, and I didn’t when I bought it. I own at least three devices capable of streaming Netflix, I don’t need that functionality baked into the set itself. But — I was surfing Amazon and comparing prices — the TV with web connectivity and apps cost the same as one without, so I went for the model with more features. Given the options, I wouldn’t make that same choice today.

That’s how the spooks get you! More features does not always mean better, especially when it comes to the internet. You probably need a computer; you probably need a smartphone; you probably don’t need a Brita filter that can ping your router. (Which is not to say that I’m not also a willful idiot: I own a Google Home, which has no documented security flaws, but is an always-on microphone connected to the internet.)

The only truly effective way to resist these surveillance efforts is to actively choose products that don’t have any internal networking components whatsoever. Even then, the WikiLeaks disclosures have revealed attempts to breach that wall as well — viruses encoded on CDs and flash drives that are transported via “sneakernet,” and never need an IP address.

There’s no such thing as perfect, comprehensive security, but knowing that doesn’t mean giving in. It means keeping our eyes open, and being clear about the choices we make. Existing in our new cyber-hell — in which we are always being watched through dozens of network-connected devices — requires a recalibration of how we consume technology itself. We need to reject the idea that modern technology is secure unless proven otherwise. Being able to connect to the net, for a multitude of reasons, is not inherently good, and we need to start making a conscious effort to resist that notion. Hacks are always a matter of when, not if.